
John

Identifying Hashes

  • https://hashes.com/en/tools/hash_identifier

  • https://www.tunnelsup.com/hash-analyzer/

  • https://md5hashing.net/hash/

Online Hash Crackers

  • https://crackstation.net

  • https://hashes.com/en/decrypt/hash

Format-Specific Cracking

Once you have identified the hash that you're dealing with, you can tell John to use it while cracking the provided hash using the following syntax:

john --format=[format] --wordlist=[path to wordlist] [path to file]

  • --format= - This is the flag to tell John that you're giving it a hash of a specific format, and to use the following format to crack it

Example Usage:

john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash_to_crack.txt

A Note on Formats:

  • When you are telling John to use formats, if you're dealing with a standard hash type, e.g. md5 as in the example above, you have to prefix it with raw- to tell John you're just dealing with a standard hash type, though this doesn't always apply.

  • To check if you need to add the prefix or not, you can list all of John's formats using john --list=formats and either check manually, or grep for your hash type using something like
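The online identifiers listed above mean pasting a hash into someone else's site; the same classification can be done offline. The following is an added example, not code from the original page or from the John project: a heuristic identifier that maps the shape of a hash string to the John --format names that accept it (raw-md5, raw-md4, NT, LM, raw-sha1, raw-sha256, raw-sha512, md5crypt, sha256crypt, sha512crypt, bcrypt, descrypt and crypt are real John format names; the mapping and the weak-algorithm classification are this example's own simplification). It also shows why the raw- prefix question comes up: an unsalted hex digest carries no algorithm marker at all, so its length is all you have, and 32 hex characters could be any of four formats.

```python
import re

# Added example, not from the original page or from John: an offline, heuristic
# hash identifier returning candidate John --format names for a hash string.

# crypt(3)-style hashes announce their algorithm in a "$id$" prefix, so these
# are unambiguous.
CRYPT_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    # yescrypt has no dedicated format here; John's generic crypt(3) format is
    # used (assumption: the system libcrypt supports yescrypt).
    "$y$": "crypt",
}

# Unsalted hex digests can only be guessed from their length, which is ambiguous:
# 32 hex characters may be MD5, MD4, an NT hash or an LM hash. Choose the
# --format from where the hash came from (e.g. NT for a SAM dump), not from length.
HEX_LENGTHS = {
    32: ["raw-md5", "raw-md4", "NT", "LM"],
    40: ["raw-sha1"],
    64: ["raw-sha256"],
    128: ["raw-sha512"],
}

# Algorithms with salt and a work factor; everything else is fast or legacy.
STRONG = {"sha256crypt", "sha512crypt", "bcrypt", "crypt"}

_HEX = re.compile(r"^[0-9a-fA-F]+$")
# Traditional DES crypt: 2-character salt plus 11 characters, no "$id$" prefix.
_DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def identify(hash_str):
    """Return candidate John --format names for one bare hash (empty list if unknown).

    Prefixed crypt(3) hashes give exactly one answer; bare hex digests return
    every format of that length, so the caller still has to pick one.
    """
    h = hash_str.strip()
    for prefix, fmt in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return [fmt]
    if _DESCRYPT.match(h):
        return ["descrypt"]
    if _HEX.match(h):
        return list(HEX_LENGTHS.get(len(h), []))
    return []


def weak_algorithm(hash_str):
    """True when the hash uses an unsalted or legacy algorithm a defender should retire."""
    fmts = identify(hash_str)
    return bool(fmts) and fmts[0] not in STRONG


if __name__ == "__main__":
    # Constructed inputs: MD5("password") and placeholder crypt(3) strings.
    for sample in ("5f4dcc3b5aa765d61d8327deb882cf99", "$6$constructedsalt$CONSTRUCTEDHASH",
                   "$1$constructed$CONSTRUCTEDHASH", "$2y$10$CONSTRUCTEDBCRYPTSTRING"):
        print(sample, "->", identify(sample), "weak" if weak_algorithm(sample) else "ok")
```

The identifier is a triage aid, not a verdict: when it returns several formats, run John once per plausible format or, better, let the source of the hash decide. The weak_algorithm check is the defender's use of the same table: any account still stored with md5crypt, descrypt or a raw digest is a password-rehash candidate regardless of password strength.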

Cracking Windows Hashes

NTHash and NTLM

  • NTHash is the hash format that modern Windows operating systems store user and service passwords in.

  • It's also commonly referred to as "NTLM", which references the previous Windows password-hashing format known as "LM", thus "NT/LM".

  • You can acquire NTHash/NTLM hashes by dumping the SAM database on a Windows machine, by using a tool like Mimikatz, or from the Active Directory database: NTDS.dit.

  • You may not have to crack the hash to continue privilege escalation, as you can often conduct a "pass the hash" attack instead, but sometimes hash cracking is a viable option if there is a weak password policy.

Cracking Hashes on Linux

Unshadowing

  • John can be very particular about the formats it needs data in to be able to work with it. For this reason, in order to crack /etc/shadow passwords, you must combine it with the /etc/passwd file in order for John to understand the data it's being given. To do this, we use a tool built into the John suite of tools called unshadow. The basic syntax of unshadow is as follows:

unshadow [path to passwd] [path to shadow]

  • unshadow - Invokes the unshadow tool

  • [path to passwd] - The file that contains the copy of the /etc/passwd file you've taken from the target machine

  • [path to shadow] - The file that contains the copy of the /etc/shadow file you've taken from the target machine

Example Usage:

unshadow local_passwd local_shadow > unshadowed.txt

Note on the files

  • When using unshadow, you can either use the entire /etc/passwd and /etc/shadow files, if you have them available, or you can use the relevant line from each, for example:

  • FILE 1 - local_passwd

  • Contains the /etc/passwd line for the root user:

  • FILE 2 - local_shadow

  • Contains the /etc/shadow line for the root user:

Cracking

  • We're then able to feed the output from unshadow, in our example use case called "unshadowed.txt", directly into John.

  • We should not need to specify a mode here, as we have made the input specifically for John.

  • However, in some cases you will need to specify the format, as we have done previously, using: --format=sha512crypt.
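To make the unshadow step and the --format choice concrete, here is an added example (not the page's own code and not the John project's unshadow) that reproduces what unshadow does on constructed passwd and shadow lines: the "x" placeholder in the second field of each /etc/passwd entry is replaced by the password field of the matching /etc/shadow entry, and everything else is left as passwd wrote it. It adds one practitioner check the real tool does not do, dropping accounts whose shadow field is "*", "!" or empty, since those are locked or passwordless and give John nothing to work on, and a helper that reads the "$id$" prefix to say which --format (md5crypt, sha256crypt or sha512crypt) the line needs. The hash values in the samples are placeholders, not real hashes.

```python
# Added example, not from the original page or the John project: a minimal model
# of unshadow plus the checks a practitioner runs on its output.

# Constructed sample lines; the hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$CONSTRUCTED_SHA512CRYPT_HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$1$constructed$CONSTRUCTED_MD5CRYPT_HASH:19000:0:99999:7:::
"""

# Shadow password fields that carry no crackable hash: locked, disabled or empty.
LOCKED_MARKERS = ("*", "!", "!!", "")

# crypt(3) prefixes to the John --format that reads them.
FORMAT_BY_PREFIX = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}


def parse_shadow(shadow_text):
    """Map user -> password field (the second colon-separated field of /etc/shadow)."""
    hashes = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def unshadow(passwd_text, shadow_text, skip_locked=False):
    """Return the lines John reads: each passwd line with the hash spliced into field 2.

    skip_locked drops accounts whose shadow field is "*", "!" or empty. The real
    unshadow keeps them; John then simply has nothing to crack for those lines.
    """
    hashes = parse_shadow(shadow_text)
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed passwd entry
        pw = hashes.get(fields[0], fields[1])
        if skip_locked and (pw in LOCKED_MARKERS or pw.startswith("!")):
            continue
        fields[1] = pw
        out.append(":".join(fields))
    return out


def suggested_format(unshadowed_line):
    """The --format John usually wants for one unshadowed line, or None if unknown."""
    pw = unshadowed_line.split(":")[1]
    return FORMAT_BY_PREFIX.get(pw[:3])


if __name__ == "__main__":
    for line in unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW, skip_locked=True):
        print(suggested_format(line), line)
```

The reason the format sometimes has to be stated explicitly is visible in the output: one file can mix "$6$" and "$1$" entries, and John runs one format at a time, so a mixed file is best split by prefix and cracked in two passes. From the defender's side, the same prefix scan over a real /etc/shadow lists every account still on md5crypt.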

Cracking Zip Password Protected File

Zip2John

  • Similarly to the unshadow tool that we used previously, we're going to be using the zip2john tool to convert the zip file into a hash format that John is able to understand.

  • The basic usage is like this:

zip2john [options] [zip file] > [output file]

  • [options] - Allows you to pass specific checksum options to zip2john; this shouldn't often be necessary

  • [zip file] - The path to the zip file you wish to get the hash of

  • > - This is the output redirector; we're using this to send the output from this command to the output file

  • [output file] - This is the file that will store the output from zip2john

Example Usage

Cracking

  • We're then able to take the file we output from zip2john in our example use case called "zip_hash.txt" and, as we did with unshadow, feed it directly into John as we have made the input specifically for it.

Cracking a Password Protected RAR Archive

Rar2John

  • Almost identical to the zip2john tool that we just used, we're going to use the rar2john tool to convert the rar file into a hash format that John is able to understand.

  • The basic syntax is as follows:

rar2john [rar file] > [output file]

  • rar2john - Invokes the rar2john tool

  • [rar file] - The path to the rar file you wish to get the hash of

  • > - This is the output redirector; we're using this to send the output from this command to the output file

  • [output file] - This is the file that will store the output from rar2john

Example Usage

Cracking

  • Once again, we're then able to take the file we output from rar2john, in our example use case called "rar_hash.txt", and, as we did with zip2john, feed it directly into John.

Cracking SSH Keys

SSH2John

  • As the name suggests, ssh2john converts the id_rsa private key that you use to log in to the SSH session into a hash format that John can work with.

  • Note that if you don't have ssh2john installed, you can use ssh2john.py, which is located at /opt/john/ssh2john.py.

  • If you're doing this, replace the ssh2john command with python3 /opt/ssh2john.py or, on Kali, python /usr/share/john/ssh2john.py.

  • The basic syntax is as follows:

ssh2john [id_rsa private key file] > [output file]

  • ssh2john - Invokes the ssh2john tool

  • [id_rsa private key file] - The path to the id_rsa file you wish to get the hash of

  • > - This is the output redirector; we're using this to send the output from this command to the output file

  • [output file] - This is the file that will store the output from ssh2john

Example Usage

Cracking

  • For the final time, we're feeding the file we output from ssh2john, which in our example use case is called "id_rsa_hash.txt" and, as we did with rar2john we can use this seamlessly with John:
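ssh2john only has something to extract when the key is passphrase-protected; an id_rsa stored in the clear needs no cracking at all, which is also the first thing a defender wants to know about any private key found on a host. The following added example (not from the original page or the John project) checks that for both encodings OpenSSH writes, using only the standard library: the newer "openssh-key-v1" format stores the cipher name and KDF name as the first two length-prefixed strings after its magic bytes, and an unprotected key has both set to "none"; the legacy PEM format announces encryption with "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines. The sample keys are constructed in the code and contain only the fields the check inspects; they are not real keys.

```python
import base64
import re
import struct

# Added example, not from the original page or the John project: is a given
# OpenSSH private key file passphrase-protected at all?

_OPENSSH_MAGIC = b"openssh-key-v1\x00"
_OPENSSH_BLOCK = re.compile(
    r"-----BEGIN OPENSSH PRIVATE KEY-----(.*?)-----END OPENSSH PRIVATE KEY-----", re.S
)


def _ssh_string(blob, offset):
    """Read one uint32-length-prefixed string from an openssh-key-v1 blob."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n


def key_is_encrypted(key_text):
    """True if the private key is passphrase-protected, False if stored in the clear."""
    m = _OPENSSH_BLOCK.search(key_text)
    if m:
        blob = base64.b64decode("".join(m.group(1).split()))
        if not blob.startswith(_OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # Right after the magic come ciphername and kdfname; an unprotected key
        # has "none" for both, a protected one e.g. "aes256-ctr" and "bcrypt".
        ciphername, off = _ssh_string(blob, len(_OPENSSH_MAGIC))
        kdfname, _ = _ssh_string(blob, off)
        return ciphername != b"none" or kdfname != b"none"
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"): encryption is declared in header lines.
    return "Proc-Type: 4,ENCRYPTED" in key_text and "DEK-Info:" in key_text


def _constructed_openssh_key(ciphername, kdfname):
    """Build a constructed openssh-key-v1 file holding only the fields inspected above."""
    blob = _OPENSSH_MAGIC
    for s in (ciphername, kdfname):
        blob += struct.pack(">I", len(s)) + s
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (not real keys): a protected and an unprotected key in the
# openssh-key-v1 format, and a legacy PEM header pair as written for an encrypted key.
SAMPLE_PROTECTED = _constructed_openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_PLAIN = _constructed_openssh_key(b"none", b"none")
SAMPLE_LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "(constructed placeholder body, never decoded by this check)\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, key in (("protected", SAMPLE_PROTECTED), ("plain", SAMPLE_PLAIN),
                      ("legacy", SAMPLE_LEGACY_ENCRYPTED)):
        print(name, "->", "encrypted" if key_is_encrypted(key) else "NOT encrypted")
```

Reading the cipher name rather than grepping for "ENCRYPTED" matters because the openssh-key-v1 format has no such header line; the only indicator is inside the base64 blob. Run across a fleet, the same function turns "which keys could ssh2john even target" into an inventory of unprotected keys to rotate or re-encrypt.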

PGP Keys

  • We have a file tryhackme.adc (the PGP private key block) and credential.pgp (the encrypted file)

  • Use gpg2john to output the PGP key to a hash format

  • It should look like this:

  • Crack the hash

  • We should end up with the file contents

  • Now we need to use gpg to import the key back on the target box

GPG Errors

  • Errors appear despite it being the correct key -> the memory daemon needs restarting

Rule Based Attacks

  • Also known as hybrid attacks.

  • Assumes attacker knows something about the password policy.

  • John config file:

  • Look for List.Rules to see the available rules.

  • Example:

  • The best64 rule contains the best 64 built-in John rules.

  • To use:

  • --wordlist= to specify the wordlist or dictionary file.

  • --rules to specify which rule or rules to use.

  • --stdout to print the output to the terminal.

  • |wc -l to count how many lines John produced.

  • By running the previous command we have expanded our password list from 1 (tryhackme) to 76.

Another Good Rule to use:

Creating Custom Rules

  • If we want to add special characters to the beginning and a number to the end, the format would be:

  • We can add our rule to the end of john.conf:

  • [List.Rules:THM-Password-Attacks] specifies the rule name THM-Password-Attacks.

  • Az represents a single word from the original wordlist/dictionary using -p.

  • "[0-9]" appends a single digit (from 0 to 9) to the end of the word. For two digits, we can add "[0-9][0-9]" and so on.

  • ^[!@#$] adds a special character at the beginning of each word. ^ means the beginning of the line/word. Note that changing ^ to $ will append the special characters to the end of the line/word.
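The bullets above describe a rule line that John's preprocessor expands into many concrete rules. The following added example (not code from the page, from THM or from John) models just enough of the rule language to show that expansion: the THM_RULE string is assembled from the description above, "[..]" classes (including ranges such as 0-9) are expanded the way John's preprocessor does, and the three commands the rule needs are applied to a word, with Az"STR" appending STR, ^c prefixing c and $c appending c. It goes slightly beyond the page's one rule in that expand_rule and apply_rule work for any rule built from those commands. Running it for "tryhackme" gives the same list --stdout would, and its length is the number a defender cares about: a policy that demands one leading special character and one trailing digit multiplies an attacker's work by only 40 per base word.

```python
import re
from itertools import product

# Added example, not from the original page, THM or John: a small model of the
# John rule commands described on the page, used to count the candidates one
# base word becomes under the THM-Password-Attacks rule.

# Assembled from the page's description of the rule; see the bullets above.
THM_RULE = 'Az"[0-9]" ^[!@#$]'


def _expand_class(body):
    """Characters of one [..] preprocessor class, expanding ranges such as 0-9."""
    chars = []
    i = 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            chars.append(body[i])
            i += 1
    return chars


def expand_rule(rule):
    """John's preprocessor turns each [..] class into one concrete rule per character."""
    parts = re.split(r"(\[[^\]]*\])", rule)
    choices = [_expand_class(p[1:-1]) if p.startswith("[") else [p] for p in parts]
    return ["".join(combo) for combo in product(*choices)]


def apply_rule(word, rule):
    """Apply one concrete rule: Az"STR" appends STR, ^c prefixes c, $c appends c."""
    i = 0
    while i < len(rule):
        if rule[i] == " ":
            i += 1
        elif rule.startswith('Az"', i):
            end = rule.index('"', i + 3)
            word = word + rule[i + 3:end]
            i = end + 1
        elif rule[i] == "^":
            word = rule[i + 1] + word
            i += 2
        elif rule[i] == "$":
            word = word + rule[i + 1]
            i += 2
        else:
            raise ValueError(f"rule command {rule[i]!r} is not modelled in this example")
    return word


def candidates(word, rule=THM_RULE):
    """Every candidate John would emit for one word under the rule (as --stdout shows)."""
    return [apply_rule(word, concrete) for concrete in expand_rule(rule)]


def policy_multiplier(rule=THM_RULE, word="tryhackme"):
    """Distinct guesses one base word becomes: the factor the rule adds to cracking cost."""
    return len(set(candidates(word, rule)))


if __name__ == "__main__":
    for guess in candidates("tryhackme"):
        print(guess)
    print("1 base word ->", policy_multiplier(), "candidates")
```

Two details are worth checking against a real John run: the preprocessor expands classes left to right with the first class varying slowest, so the first candidates are "!tryhackme0", "!tryhackme1" and so on, and a two-digit suffix "[0-9][0-9]" multiplies the count by 100, not by 20.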

Note

  • All credit goes to the creator(s) of the John the Ripper Tool on THM.

  • www.tryhackme.com/room/johntheripper0
